Overview

DirectAccess settings configured when you run the
DirectAccess Configuration Wizard in the Forefront UAG Management
console are collected into group policy objects (GPO). Three
different GPOs are populated with DirectAccess settings, and
distributed as follows:

Application servers GPO—This GPO contains settings for
selected application servers to which you optionally extend
authentication and encryption from DirectAccess clients. If
authentication and encryption are not extended then this GPO is not
used.

GPOs can be configured in two ways:

You can specify that the Forefront UAG DirectAccess
Configuration Wizard should create the GPOs automatically. A
default name is specified for each GPO. As long as the GPO does not
exist in the domain you can modify the domain in which the GPO will
be created, and the GPO name.

You can use GPOs that have been predefined by the Active
Directory administrator.

Automatically created GPOS are applied according to the
location and link target parameter, as follows:

The DirectAccess server GPO, both the location and link
parameters point to the domain containing the Forefront UAG
DirectAccess server. This is true for a standalone server or for an
array configuration.

When client and application servers GPOs are created, the
location is set to a single domain in which the GPO will be
created. The link target is set to the domains containing the
client computers and application servers. The GPO is created once
and links are created in the other domains. When the client and
application server GPOs are filled, the link target is disabled.
The location is set to all of the client and application server
domains. The GPO name is looked up in each domain, and filled with
DirectAccess settings if it exists.

Requirements

GPO requirements are as follows:

To apply DirectAccess settings in GPOs, note the following
permissions requirements:

The administrator who runs the configuration script must have
GPO create permissions for each required domain. The administrator
also requires link permissions to all the selected client domain
roots (in security group mode), or to all the selected OUs (in OU
mode).

If the Forefront UAG administrator does not have create
permissions on the domain, the administrator must send the script
to a user with the required permissions.

It is recommended that the Forefront UAG administrator
configuring DirectAccess has GPO read permissions for each required
domain. If not, the Forefront UAG user interface will not be able
to discover the GPOs and validations might fail.

If you want to load DirectAccess configuration settings into
predefined GPOs, note the following:

The GPOs should exist before running the wizard.

When you select to use predefined GPOs, validation occurs. If
the specified client GPO name does not exist in at least one client
domain, or the server GPO name does not exist in the Forefront UAG
DirectAccess server domain, a message appears with instructions on
how to proceed.

Limitations

The following limitations apply:

When deploying end-to-end extended authentication and
encryption between DirectAccess clients and internal application
servers, a GPO is applied to the internal servers. These servers
must reside in the same forest as the Forefront UAG DirectAccess
server.

Planning steps

To plan for predefined GPOs do the following:

Create the DirectAccess server GPO in the DirectAccess server
domain, with the permissions detailed in Requirements. Create a link to the either the OU
that will contain the DirectAccess server, or to the domain root if
DirectAccess server will be defined using a security group.

Create a client GPO with the same name in each domain that
contains computers that will be defined as DirectAccess clients,
with the permissions detailed in Requirements. Configure links as required. Do not
configure cross-domain links. Forefront UAG DirectAccess fills
these GPOs with the client settings.

If you will deploy end-to-end extended authentication and
encryption between DirectAccess clients and specified internal
application servers, create an application server GPO with the same
name in each domain that contains the application servers, with the
permissions detailed in Requirements.
Configure links as required.